Interpark customer data breach
South Korean police attributed a breach of online retailer Interpark — exposing the personal data of more than 10 million shoppers — to North Korea's intelligence agency, which used spearphishing and then demanded a multi-million-dollar bitcoin ransom.
- Victim: Interpark
- Records: 10.3M
- Users: 10.3M
In 2016, South Korean police made a striking attribution: the breach of major online retailer Interpark, which exposed the data of more than 10 million customers, had been carried out by North Korea's intelligence service — and was followed by a multi-million-dollar ransom demand.
What happened
According to South Korea's National Police Agency, North Korea's Reconnaissance General Bureau breached Interpark's network in May 2016 using a spearphishing email aimed at a specific employee. The malicious attachment let the attackers plant malware and move laterally across Interpark's servers, ultimately reaching the customer database.
The intruders exfiltrated personal data on more than 10 million shoppers, including names, email addresses, phone numbers, home addresses and other account details.
The ransom twist
What made the incident unusual was the financial demand. After stealing the data, the attackers emailed Interpark executives demanding roughly 3 billion won — about US$2.66 million — in bitcoin, threatening to leak the records otherwise. Interpark refused to pay and reported the extortion to authorities. Investigators concluded the operation blended state intelligence tradecraft with criminal monetisation, consistent with North Korea's pattern of using cyber operations to raise hard currency.
Impact and aftermath
- Over 10 million Interpark customers had personal data exposed.
- In December 2016, the Korea Communications Commission fined Interpark about 4.5 billion won for failing to adequately protect customer information — among the largest such penalties in Korea at the time.
- In November 2020, a Seoul court ordered Interpark to compensate more than 2,400 customers roughly 100,000 won each for the leak.
Why it matters
The Interpark breach is a defining example of state-sponsored hacking fused with extortion. It showed that a nation-state actor would target a commercial retailer not only for intelligence but for direct financial gain via ransom — foreshadowing the ransomware-and-extortion playbook later associated with North Korean groups such as Lazarus. For South Korea, it reinforced that consumer-facing companies are squarely in the firing line of geopolitical cyber conflict, and it strengthened the regulatory expectation that retailers invest seriously in anti-phishing defences and data protection.
Timeline
- North Korea's Reconnaissance General Bureau breaches Interpark's servers via a spearphishing email targeting an employee.
- Attackers exfiltrate personal data on more than 10 million Interpark shoppers.
- The attackers email Interpark executives demanding about 3 billion won (~US$2.66 million) in bitcoin; the company refuses to pay and alerts authorities.
- South Korean police publicly attribute the attack to North Korea.
- The Korea Communications Commission fines Interpark about 4.5 billion won for failing to protect customer data.
- A Seoul court orders Interpark to compensate more than 2,400 customers about 100,000 won each.
Sources
- koreatimes.co.kr: https://www.koreatimes.co.kr/southkorea/20160728/breaking-n-korea-behind-interparks-massive-customer-data-leak-police
- securityaffairs.com: https://securityaffairs.com/49821/cyber-warfare-2/north-korea-hacked-interpark.html
- washingtontimes.com: https://www.washingtontimes.com/news/2016/jul/28/north-korean-spies-accused-massive-data-breach-aff/
- databreaches.net: https://www.databreaches.net/kr-court-orders-online-mall-to-compensate-2400-customers-for-data-leak/